Recently, the use of application containers has become prevalent as a way of executing applications on a host computer. A container provides for the isolation of a group of processes from the others on an operating system. By making use of existing operating system functionality (such as Linux name spaces), containers maintain their own private view of the operating system, file system structure, and network interfaces. Containers share the operating system kernel with other processes, but can be constrained to some extent to use an amount of resources such as the central processing unit (CPU), random access memory (RAM), or input/output (I/O) devices. Containers have proven advantageous because they typically have a small system “footprint.” That is, containers provide a relatively thin encapsulation layer above and beyond any applications contained therein. Thus, instantiation and deployment of containers is relatively quick.
Virtual machines, on the other hand, tend to deploy more slowly than containers. This is due to the fact that virtual machines are a software abstraction of a physical computer. Thus, a virtual machine typically includes a guest operating system and a virtual hardware platform. These virtualized system components are not present in containers.
However, virtual machines are advantageous because a higher degree of isolation and security may be achieved between virtual machines as opposed to the degree of isolation that may be achieved between containers. This is due to the filet that containers run on the same kernel; thus problems from one container may “infect” other containers. In addition, while containers may be configured to use a certain amount of system resources, it is possible for a malicious application executing in a container to circumvent such restrictions and monopolize CPU, storage, or I/O resources. By contrast, virtual machines allow system administrators to separately configure each virtual machine in a cloud environment to receive a predefined allocation of system resources. For example, in some cases, a virtual machine may be configured to receive a guaranteed minimum allocation of CPU resources. In other cases, a virtual machine may be configured to receive a constant relative share of available CPU resources. This isolation and security provided by virtual machines is especially important in multi-tenant cloud-based computing environments.
Further, because the application programming interface (API) that a hypervisor uses to execute a virtual machine is more limited than the API of a general purpose kernel operating system, virtual machines tend to have a smaller attack surface than a shared kernel. Thus, it is generally more difficult to compromise a virtual machine executing under control of a hypervisor than it is to compromise a container running under the control of a shared kernel. Further, even if a virtual machine is compromised, superior isolation of virtual machines prevents the compromised virtual machine from affecting other virtual machines. Finally, there exists a rich set of management tools directed to virtual machine environments that is lacking in containerized environments.
Therefore, cloud-based computing environments are often faced with a choice between rapidly deployable, but weakly isolated and unsecure, containers, and strongly isolated and highly secure, but slowly deployed, virtual machines.